Posts Tagged Spear Phishing

Phishing attacks are launched to steal sensitive user data such as passwords and other login credentials. The attacker generally masquerades as a legitimate sender and sends an email, message or link carrying malware. It is a type of social engineering attack that can have devastating results. There are numerous types of phishing attacks; here we have listed a few:

Deceptive Phishing
It refers to an attack in which a hacker impersonates a legitimate website in order to steal a person's personal information. An email with malicious content, often posing as a threat or urgent message, is sent to pressure the user into clicking it. For example, the attacker may send the user an email posing as a message from their bank regarding some discrepancy in the account. The user, often in haste, clicks on the link and is directed to an illegitimate site that steals their passwords and login credentials.

Spear Phishing
The hacker personalizes the attack. Emails are specifically addressed and mention the target's name, position, company name etc. to win the user's trust. This is done to dupe the user into clicking on the malicious link. Once the user parts with their confidential information, their login credentials and sensitive data are stolen.

Whaling
In this type of attack, executives at the highest level are targeted. Top-level employees generally do not undergo a security awareness training program, which is why they are prone to whaling. An attempt is made to hook the executives using specially designed emails or social engineering. The attacker then launches a BEC (Business Email Compromise) scam, using the executive's email account to initiate a fraudulent wire transfer to a financial institution.

Pharming
This attack relies on DNS (domain name system) cache poisoning. DNS converts an alphabetical website name into the numerical IP address used to locate the server. By poisoning the cached answer, the attacker directs the user to a malicious website even when the user entered the correct website name.

Mimic Phishing
An authentic website such as Google Docs, Dropbox etc. is mimicked to lure users into signing in. This way their passwords and login credentials are stolen.

How To Protect Yourself Against Such Attacks

Carefully check the URL of a link before clicking on it.

Organizations must conduct employee training programs in which every employee should participate.

Companies must invest in software that can analyze inbound emails in order to check for malicious links and email attachments.

Financial transactions should not be authorized through emails.

Only enter websites whose address begins with https, as such sites are more secure.

Install a high-quality anti-virus and update your system on a regular basis.
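The email-screening and URL checks above, as an added example that is not code from the original post: a small Python analyzer that parses a constructed inbound message, extracts the HTML links and flags any link that is not https, whose host falls outside an assumed trusted-domain list, or whose visible text names a different site than the real target (the mimic pattern described earlier). The sample message and the trusted-domain list are both assumptions made for this example.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Constructed sample (not a real message): the anchor text names dropbox.com,
# but the real href points at a look-alike host over plain http.
SAMPLE_EMAIL = """\
From: "Dropbox Support" <support@dropbox.com>
To: user@example.com
Subject: Action required: verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please <a href="http://dropbox.com.login-verify.example/auth">sign in
to https://www.dropbox.com</a> to avoid suspension.</p>
<p><a href="https://www.dropbox.com/help">Help center</a></p>
</body></html>
"""

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")

def _host(url):
    # Hostname of a URL, tolerating a bare domain without a scheme
    url = url if "://" in url else "http://" + url
    return (urlparse(url).hostname or "").lower()

def analyze_email(raw, trusted_domains):
    """Return [(href, [reasons])] for links in the HTML body that look suspicious."""
    msg = message_from_string(raw, policy=default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        reasons, host = [], _host(href)
        if urlparse(href).scheme.lower() != "https":
            reasons.append("link is not https")
        # Host must be a trusted domain or a subdomain of one; a look-alike such
        # as dropbox.com.login-verify.example fails this check
        if not any(host == d or host.endswith("." + d) for d in trusted_domains):
            reasons.append("host %s is not trusted" % host)
        # Mimic check: the visible text names a different site than the real target
        m = DOMAIN_RE.search(" ".join(text.lower().split()))
        if m and _host(m.group(1)) != host:
            reasons.append("text claims %s but links to %s" % (m.group(1), host))
        if reasons:
            findings.append((href, reasons))
    return findings
```

Run against the sample, only the first link is reported, with all three reasons; the genuine help-center link passes every check.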

Spear phishing is a form of cyber-attack targeted at an individual or organization to obtain confidential information. It is a social engineering technique that involves sending a spoofed email, which appears or claims to be from a legitimate source, asking the user to visit a website or click on a link. Though often intended to steal data that can then be used to initiate a further attack, cyber criminals may also use spear phishing to install malware on the victim's computer system.

Leverages Unknown Software Vulnerabilities: In a spear phishing attack, the hackers tend to exploit unknown security loopholes in the users' browsers, applications and plug-ins.

Lacks Spam Characteristics: Cybercriminals usually send personalized emails to the target users, which makes them different from the prevalent high-volume attacks. Therefore, anti-virus and anti-spyware programs are less likely to flag these emails as a threat.

How Does Spear Phishing Work?

In order to launch a spear phishing attack, the hacker first needs to gain some insight into the target user so that a personalized email can be crafted. This information is often gathered from the user's social media profiles and posts. After this, they send a well-crafted email to the user, often claiming to be from a bank or other authorized entity, provoking the user to take an action. These may involve:

Clicking on a link that redirects to a fake website asking the user to enter their user ID, password, bank account number, social security number etc.


Author

Abdul Subhani

I am the President & CEO of Centex Technologies, Microsoft Small Business Specialist, Certified E-Commerce Consultant, Certified Ethical Hacker, Certified Fraud Examiner, Virtual Instructor and an IT Consultant/Speaker on IT Security, Networking, Small Business Architecture & SEO Internet Marketing.
